CrySyS Describes Long-term Cyber-spying Malware Just Discovered

Researchers at CrySyS Lab, a Hungary-based security company, recently uncovered a cyber-espionage campaign that has been operating for ten years or more, combining legitimate software with commodity malware tools and targeting government intelligence organizations, heavy industry and political activists, chiefly in Eastern European countries. Although it has existed for so long, the campaign gained fresh momentum during July-December 2012, the researchers report.

CrySyS explains that the attackers plant a genuine copy of TeamViewer, a remote-administration program, on victims' computers and then alter it through Dynamic Link Library (DLL) hijacking so that the target machine can be controlled remotely.

Besides remotely controlling the infected PCs, the attackers can also use TeamViewer to install further programs that collect sensitive information, data or files from those same machines, the CrySyS report notes.

Because TeamViewer is employed in the attack, the company's researchers have dubbed the malicious toolkit 'TeamSpy'.

Although TeamSpy is less sophisticated than some of the cyber-weapons found recently, it is still comparable to certain advanced cyber-espionage tools such as Flame, Duqu, Red October and Gauss.

Several facts show that TeamSpy is being used against high-value targets: the victims' IP addresses; known operations against particular targets; the tracking of potentially high-profile targets; the filenames used in the data-collection operations; and the unusual paramilitary vocabulary used in certain structures, among others.

Notably, when launching the attacks, the criminals are interested in disk images (*.vmdk, *.tc) and PDF files (*.pdf); office files and documents such as *.rtf, *.doc, *.mdb and *.xls; files whose names suggest sensitive content such as passwords (*saidumlo*, *secret*, *pass*, *napor* and *cekper*); and encryption keys such as *.p12 and *.pgp.

Organizations can protect themselves by scanning their computers to determine whether "teamviewer.exe" is present; by blocking access to the known IP addresses and command-and-control URLs; and by enforcing a strict patch-management policy across every department of the organization. In this particular attack, well-known exploit kits were used against vulnerabilities in familiar security software, the researchers conclude.
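As an added example (not code from the CrySyS report), the following Python triage script applies the checks above to a host's file inventory: it flags every teamviewer.exe, treats a copy outside the normal install directory that has DLLs beside it as a DLL-hijacking candidate, and lists the files the reported collection patterns would sweep up. The install directories, the sample inventory and the DLL names are assumptions.

```python
import posixpath
from collections import defaultdict
# Where a legitimately installed TeamViewer is expected (assumption, not from the report).
EXPECTED_TV_DIRS = ("c:/program files/teamviewer", "c:/program files (x86)/teamviewer")
# Collection patterns quoted in the report: disk images/PDFs, office documents, key files,
# and filename fragments that hint at stored passwords.
TARGET_EXT = (".vmdk", ".tc", ".pdf", ".rtf", ".doc", ".mdb", ".xls", ".p12", ".pgp")
TARGET_NAME_HINTS = ("saidumlo", "secret", "pass", "napor", "cekper")

def _norm(path):
    # Windows paths are case-insensitive; normalise separators and case before comparing.
    return path.replace("\\", "/").lower()

def find_teamviewer_sideload_candidates(paths):
    # Group the inventory by directory and inspect every folder holding teamviewer.exe.
    # A genuine binary dropped outside its install directory with DLLs beside it is the
    # footprint of the DLL hijacking the report describes.
    by_dir = defaultdict(list)
    for p in paths:
        n = _norm(p)
        by_dir[posixpath.dirname(n)].append(posixpath.basename(n))
    findings = []
    for d, names in by_dir.items():
        if "teamviewer.exe" not in names:
            continue
        expected = d.startswith(EXPECTED_TV_DIRS)
        dlls = sorted(n for n in names if n.endswith(".dll"))
        findings.append({"dir": d, "expected_location": expected,
                         "co_located_dlls": dlls, "suspicious": not expected and bool(dlls)})
    return findings

def files_matching_collection_patterns(paths):
    # Files on this host that the attackers' reported search patterns would pick up.
    hits = []
    for p in paths:
        name = posixpath.basename(_norm(p))
        if name.endswith(TARGET_EXT) or any(h in name for h in TARGET_NAME_HINTS):
            hits.append(p)
    return hits

# Constructed sample inventory (not real data); the DLL names are placeholders.
SAMPLE_PATHS = [
    r"C:\Program Files\TeamViewer\TeamViewer.exe",
    r"C:\Program Files\TeamViewer\vendor.dll",
    r"C:\Users\alice\AppData\Roaming\upd\teamviewer.exe",
    r"C:\Users\alice\AppData\Roaming\upd\helper.dll",
    r"C:\Users\alice\Documents\passwords.xls",
    r"C:\Users\alice\Documents\keys\work.p12",
    r"C:\Users\alice\Documents\notes.txt",
]
```

Flagged directories should be examined by hand, since a legitimate portable TeamViewer copy will also trip the location check; the second function shows which local files would be at risk if the host were indeed compromised.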